c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7

Analysis

max time kernel
125s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe
Size

480KB
MD5

72ee7d175b2a9b4748bb1f332ae8b407
SHA1

e477094547dccaf6bab7b6edbff680acb2cd7203
SHA256

c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7
SHA512

dce008173b88f7dd090d2f09e4007fe0345b56740dd333f627fb8612ebc7f0476306fa73136410d6623ca177e6922951b0b0bf60f6ebdb43549359e676d788cf
SSDEEP

12288:GKVzzv6+WPUQ0gP2xhahj+P4qGuUuUDlzdMMMMMMMMMMMMMMMMMMTB:4+WPTnemoP4qGvu6zdMMMMMMMMMMMMMw

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe

description	pid	process	target process
PID 3636 set thread context of 4328	3636	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe

pid	process
3636	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe
3636	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe
3636	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe
3636	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe
3636	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe
3636	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe
3636	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe
3636	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe

pid	process
3636	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe
3636	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.execmd.exenet.exe

description	pid	process	target process
PID 3636 wrote to memory of 4684	3636	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe	cmd.exe
PID 3636 wrote to memory of 4684	3636	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe	cmd.exe
PID 3636 wrote to memory of 4684	3636	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe	cmd.exe
PID 3636 wrote to memory of 4328	3636	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe
PID 3636 wrote to memory of 4328	3636	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe
PID 3636 wrote to memory of 4328	3636	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe
PID 3636 wrote to memory of 4328	3636	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe
PID 3636 wrote to memory of 4328	3636	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe
PID 3636 wrote to memory of 4328	3636	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe
PID 3636 wrote to memory of 4328	3636	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe
PID 3636 wrote to memory of 4328	3636	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe	c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe
PID 4684 wrote to memory of 2964	4684	cmd.exe	net.exe
PID 4684 wrote to memory of 2964	4684	cmd.exe	net.exe
PID 4684 wrote to memory of 2964	4684	cmd.exe	net.exe
PID 2964 wrote to memory of 400	2964	net.exe	net1.exe
PID 2964 wrote to memory of 400	2964	net.exe	net1.exe
PID 2964 wrote to memory of 400	2964	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe
"C:\Users\Admin\AppData\Local\Temp\c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Windows\SysWOW64\cmd.exe
  /c net stop MpsSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      PID:400
- C:\Users\Admin\AppData\Local\Temp\c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe
  C:\Users\Admin\AppData\Local\Temp\c4a6e2a61bb65a5893284ad5fc8e96fde3d189f89edc1ea75799329b556c28b7.exe
  2⤵
  PID:4328

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/400-138-0x0000000000000000-mapping.dmp

Download
memory/2964-137-0x0000000000000000-mapping.dmp

Download
memory/3636-133-0x0000000002390000-0x0000000002394000-memory.dmp

Filesize
16KB

Download
memory/4328-134-0x0000000000000000-mapping.dmp

Download
memory/4328-135-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4328-139-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4328-140-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4684-132-0x0000000000000000-mapping.dmp

Download